Weibo Post Details API

Advisory: audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.secret_argv_exposure


Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your JustOneAPI token could be exposed to other local processes or logs while the command runs, potentially allowing unauthorized use of your API account.

Why it was flagged

The command places the primary JustOneAPI credential in the helper process's arguments. Process arguments can be exposed through local process listings, monitoring tools, crash or debug logs, and command wrappers.

Skill content
node {baseDir}/bin/run.mjs --operation "getWeiboDetailsV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"id":"<id>"}'
Recommendation

Prefer a version of the helper that reads the token directly from the environment or stdin instead of argv. Avoid running this on shared systems, and rotate the token if you believe it was exposed.

What this means

When invoked, the agent can call JustOneAPI for a supplied Weibo post ID and may consume API quota or reveal that lookup to the provider.

Why it was flagged

The helper performs a network request to the documented JustOneAPI endpoint. This is purpose-aligned and bounded to one operation, but users should understand that queried Weibo IDs are sent to JustOneAPI.

Skill content
"baseUrl": "https://api.justoneapi.com" ... "path": "/api/weibo/get-weibo-detail/v1" ... response = await fetch(url, requestInit);
Recommendation

Use the skill only for post IDs you intend to send to JustOneAPI, and monitor token/API usage according to your account policies.

Findings (1)

Severity: critical

Detected: suspicious.secret_argv_exposure

Location: SKILL.md:41

Finding: Instructions pass high-value credentials through process argv.